FIN10 is a financially motivated threat group that targeted organizations in North America from at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [1]

ID: G0051
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1107 | File Deletion | FIN10 has used batch scripts and scheduled tasks to delete critical system files.[1] |
| Enterprise | T1086 | PowerShell | FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[1][2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[1][2] |
| Enterprise | T1076 | Remote Desktop Protocol | FIN10 has used RDP to move laterally to systems in the victim environment.[1] |
| Enterprise | T1105 | Remote File Copy | FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[1] |
| Enterprise | T1053 | Scheduled Task | FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.[1][2] |
| Enterprise | T1064 | Scripting | FIN10 has executed malicious .bat files containing PowerShell commands.[1] |
| Enterprise | T1033 | System Owner/User Discovery | FIN10 has used Meterpreter to enumerate users on remote systems.[1] |
| Enterprise | T1078 | Valid Accounts | FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. The group has also moved laterally using the Local Administrator account.[1] |


Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0363 | Empire | [1] | Access Token Manipulation, Accessibility Features, Account Discovery, Browser Bookmark Discovery, Bypass User Account Control, Clipboard Data, Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Credentials in Files, Data Compressed, Distributed Component Object Model, DLL Search Order Hijacking, Domain Trust Discovery, Email Collection, Execution through API, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Modify Existing Service, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, Pass the Hash, Pass the Ticket, Path Interception, PowerShell, Private Keys, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Remote Services, Scheduled Task, Screen Capture, Scripting, Security Software Discovery, Security Support Provider, Service Execution, Shortcut Modification, SID-History Injection, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Timestomp, Trusted Developer Utilities, Video Capture, Web Service, Windows Management Instrumentation |